Data Protection Policy
Not A Phase Data Protection Policy
Not A Phase is committed to protecting the privacy and security of personal information. This policy outlines our approach to data protection and our responsibilities in processing personal data in compliance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The purpose of this policy is to:
- Ensure compliance with data protection law.
- Protect the rights of staff, volunteers, beneficiaries, and other individuals whose personal data we process.
- Provide transparency about how we collect, use, and store personal data.
This policy applies to all staff, trustees, volunteers, and anyone working on behalf of Not A Phase.
Data Protection Principles
We adhere to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary.
- Integrity and Confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Legal Basis for Processing
We process personal data on the following legal bases:
- Consent: The data subject has given clear consent for us to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract we have with the data subject or because they have asked us to take specific steps before entering into a contract.
- Legal Obligation: The processing is necessary for us to comply with the law.
- Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, provided the data subject’s rights and interests do not override those interests.
Data Subject Rights
Individuals have the following rights regarding their personal data:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
- The right of access: Individuals have the right to access their personal data and supplementary information.
- The right to rectification: Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete.
- The right to erasure: Individuals have the right to have personal data erased.
- The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data.
- The right to data portability: Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
- The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances.
- Rights in relation to automated decision making and profiling: Individuals have the right to not be subject to a decision based solely on automated processing, including profiling.
Data Security
We implement appropriate technical and organisational measures to ensure the security of personal data. This includes:
- Ensuring personal data is encrypted and stored securely.
- Limiting access to personal data to authorised individuals.
- Regularly reviewing and updating our security measures.
Data Breaches
We have procedures in place to detect, report, and investigate personal data breaches. In the event of a data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, if necessary, the affected individuals.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Responsibilities
- Data Protection Officer (DPO): The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
- All Staff and Volunteers: All staff and volunteers are responsible for understanding and adhering to this policy.
Training
All staff and volunteers will receive training on data protection principles and practices to ensure compliance with this policy.
Reviewing
This policy will be reviewed annually or in response to significant changes in legislation or organisational changes.
Contact Information
For further information or to report a data protection concern, please contact:
- Data Protection Officer: Lewis Williams – lewis@notaphase.org
- Information Commissioner’s Office (ICO): https://ico.org.uk/